cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2862
Views
5
Helpful
2
Replies

SSL certificates for CUCM, CUPS, CUC can you use SAN instead of lots of separate ones)

rogierboeken
Level 1
Level 1

hi

we are just finishing an upgrading from CUCM 8.6.4 and CUPS (8.6.5) and CUC 8.6 to CUCM/CUPS/CUC 10.5.(2?) and have a question about SSL certificates

we generated separate signing request for 

CUCM (publisher)

tomcat

CUPS

tomcat

cup-xmmp

CUC

tomcat

for cup-xmpp we had to use a SAN signing request as it needed the domain.com name as well

so that is 4 standard SSL certificates and 1 SAN certificate, with godaddy that is still quite a bit of money

The Jabber clients (11.5) are still not 100% happy as it is also showing a SSL issue with the CUCM-subs (so we need a certificate for that one too) and there is a configuration issue as it is also asking for cups-pub (without domain name) SSL certificate 

is it possible to generate 1 SAN SSL certificate for all these services,

cucm-pub.domain.com

cucm-sub.domain.com

cups-pub.domain.com (both tomcat and cup-xmmp)

cuc.domain.com

get it signed by Goddady (or other provider) and upload?

We also have 2 certificates for the edgeway core and edge (and those seem to be working fine so will leave that out of the equation for now)

Many thanks

2 Replies 2

Deepak Rawat
Cisco Employee
Cisco Employee

You can generate single CSR using SAN but that will only be applicable for CUCM and CUPS. For Unity Connection, you will still need to be issue a separate CSR.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051/CUCM_BK_CE15D2A0_00_cucm-release-notes-1051_chapter_01.html#CUCM_RF_SEC52373_00

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html

Regards

Deepak

Jonathan Schulenberg
Hall of Fame
Hall of Fame

Not quite. Each CSR must be separated CA-signed and installed on it's intended node with the exception of the multi-server cert now supported on CUCM 10. For the same reason you cannot use a wildcard certificate because none of the products support being given the private key.

Other than the multi-server cert your only approach is to see if a CA will allow you to regenerate (without revoking) the same cert multiple times with additional CN/SANs. I have one coworker who does this with I believe Thawte. Personally I think it's a bad idea and a bastardization of how certs are supposed to work but sometimes the only thing people care about is the cost. This approach has at least there obvious downsides: 1) if you need to revoke one cert you just did it for your entire collab infrastructure; 2) the cert has SANs for your entire solution allowing a compromised component to impersonate another or allowing an attacker to easily discover the entire solution; 3) good luck convincing TAC that a dozen SANs is supported. There are several caveats over the years about the size of a cert needing to be under specific KB in size to fit on the phone firmware. Usually this cropped up with MS CAs who would add a ton of OIDs with Microsoft-Centric stuff. Eventually you learn that coloring outside the lines of what Cisco intended/assumed is more trouble than it's worth.

All of the subscribers in the cluster need the same certs. CUCM, CUC, IM&P, etc.

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html